Business Continuity in Information Security

As a management consulting company, CUNIX caters to the needs of all organizations, from small and medium enterprises to large MNCs with several offices across the globe. While interacting with Information Security practitioners, we found that many of them have difficulty understanding the concept of Business Continuity in relation to an Information Security Management System. Therefore, this article addresses these areas.

What is a BCMS (Business Continuity Management System)?

  • A Business Continuity Management System specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of, prepare for, respond to, and recover from disruptive incidents when they arise.
  • The standard for Business Continuity Management Systems is ISO 22301:2012.
  • It was initially developed by the ISO technical committee on societal security and first published in May 2012.

In Information Security, not all aspects of Business Continuity are covered; only selected aspects are covered, such as Information Security Continuity and Redundancies.

According to ISO 27001, Information Security Continuity broadly covers the following:

1- Planning Information Security Continuity

While building the ISMS manual, planning InfoSec continuity is very important.

While planning, we need to consider situations which have a catastrophic impact on the business, such as an earthquake, flood, terrorist attack, power failure, system breakdown, critical data breach (by an internal or external entity), cyber-attack, hacking, political strike, tsunami, volcanic eruption, etc. During such incidents, an organization has to be ready with a ‘Plan B’ so that its Information Security is not at stake. You need to make sure that it stands uncompromised in any situation.

Planning Information Security Continuity comprises the following 3 steps:

Step-1: The organization needs to think through all applicable situations (e.g. those mentioned above) according to its geographic location, availability, manpower, etc. For example, if your office is in a historic or prime location of the city, there may be a possibility of a terrorist attack. Therefore, considering information security, the organization should have strong physical security, a designated safe area to assemble, a secure path to evacuate the office, and a way to lock the systems holding confidential information.

Let’s take another example: floods. Assume you have an office in an area which is highly vulnerable to floods. Then your plan shall depend upon which floor the office is situated on.

If it’s on the ground or 1st floor, then the probability of water entering your office premises is high; otherwise, it won’t affect the systems etc. inside the office. In both cases, the organization needs to be ready with plans for floods during which employees are unable to travel to the office from their homes due to a temporary collapse of public transport.

Step-2: The Information Security team needs to jot down all the applicable threats to the organization which may harm the company’s Information Security.

Now the question arises: how do we bring together all the scenarios?

The answer is simple: the Information Security Team should sit together and brainstorm all the situations. They need to check historical data on past events which affected the organization’s business continuity. There are several other methods to understand critical situations and work on them.

Step-3: After understanding all the scenarios, the organization needs to start evaluating probable solutions for all such events. Here management involvement is required. Only after getting approval on things like budget can the InfoSec team come up with a solution for the problems.

E.g. there are several industries which keep inflammable materials outside their office (paper in the printing industry); the office is then an area where the chances of a fire are high. To be prepared for fire, you need to be ready with fire extinguishers, a fire exit plan, an assembly point, etc.

Also, proper awareness and training sessions and mock drills should be conducted at regular intervals for employees.

2- Implementing Information Security Continuity

The implementation phase comes after understanding and evaluating the various scenarios which may have a catastrophic impact on the Information Security of the company. During this phase, the organization needs to start acting on what it has planned.

E.g. installing fire extinguishers, backing up to the cloud, setting up a new business site (away from the current location), installing anti-virus, etc.

The Information Security team should maintain logs for all recurring activities. These can be produced as proof of regular implementation during audits. The data can be captured by regularly filling in checklists. The checklists list all the recurring tasks as a reminder for the end user, and they are filled in according to a frequency such as daily, weekly, monthly or quarterly.

3- Verify, Review and Evaluate Information Security Continuity

The organization needs to verify the established Information Security Continuity controls at regular intervals. If any change is required, it is reviewed and made according to the need.

The effectiveness of the control also matters a lot. For example, if you have implemented the backup policy for senior management with a 3-month frequency, but it proves ineffective due to data loss and other problems, then it has to be reviewed. Based on the evaluation done, the backup policy should be modified.

–Gunjar Fuley

Indicative List of Policies to be framed for ISO 27001:2013

The organization should define information security related policies which are approved by management and set the organization’s approach to managing its information security objectives.
a) Business strategy, b) contracts, regulations and legislation, and c) the security threat environment are the sources of requirements which the “information security policies” should address.

What should “Information Security Policy” cover?

a) Definition of information security, and the objectives and principles to direct all activities related to information security
b) Assignment of information security management responsibilities to defined roles
c) Processes for handling non-conformities and exceptions

Indicative List of policies:

1) Information Security
2) Access control
3) Information classification and handling
4) Physical and environmental security
5) Acceptable use of assets
6) Clear Desk and clear screen
7) Information Transfer
8) Mobile device and teleworking
9) Restriction on software installations and use
10) Back-up
11) Protection from malware
12) Management of technical vulnerabilities
13) Cryptographic controls
14) Communication security
15) Privacy and protection of personally identifiable information
16) Supplier relationships
These policies should be communicated to relevant internal and external stakeholders in the context of information security awareness.

Structure of ISO 27001:2013

Controls (Annex A)

A.5: Information Security Policies – Controlling how policies are written and revised

A.6: Organization of Information Security – Controls on how responsibilities are assigned; also includes controls for mobile devices and teleworking

A.7: Human Resources Security – Pre-employment, during and after employment controls

A.8: Asset management – Asset inventory and acceptable use controls; also for information classification and media management

A.9: Access control – Access control policy, user access management, system and application access control

A.10: Cryptography – Encryption and key management controls

A.11: Physical and environmental security – Controls defining secure areas, entry controls, protection against threats, security of the equipment, secure removal, clear desk and clear screen policy, etc.

A.12: Operations security – Operational procedures and responsibilities, malware protection, backup, logging and monitoring, control of operational software, technical vulnerability management, etc.

A.13: Communications Security – Network security, information transfer, e-mail security checks etc.

A.14: System acquisition, development and maintenance – Controls defining security requirements and security in the development and support processes

A.15: Supplier relationships – Controls on what to include in supplier agreements and how to monitor suppliers

A.16: Information Security Incident Management – Controls for reporting events and weaknesses, defining responsibilities, assessing events, responding to and learning from incidents, and collecting evidence

A.17: Information security aspects of business continuity management – Controlling the planning, implementation and review of information security continuity, and redundancies

A.18: Compliance – Controls requiring the identification of applicable laws and regulations, protection of intellectual property, protection of personal data, and examination of the security of personal information

One of the biggest myths about ISO 27001 implementation is that it is computer-centric. On the contrary, it involves the various aspects listed above in Annex A.

The controls in Annex A are an essential part of ISO 27001 implementation. Based on the risk assessment, an organization can decide the applicability of each control, with a valid rationale.

What is ISO 27001?

ISO 27001 is a standard which helps organizations manage information security. It is published by the International Organization for Standardization (ISO). The latest revised version is ISO 27001:2013; the first version was published in 2005. The standard was developed from the British Standard BS 7799-2.

Which type of organizations can get certified for ISO 27001?

ISO 27001 can be implemented in any kind of organization: profit or non-profit, private or state-owned, small or large. ISO 27001 establishes a framework for implementing information security management in an organization. Organizations can also get certified for ISO 27001: independent certification bodies perform the audit and, upon compliance with the standard, issue the certificate to the organization.

What are the benefits of ISO 27001?

  1. New client acquisition and retention of old clients
  2. Avoid losses and penalties for data breaches
  3. Comply with business, legal and regulatory requirements
  4. Protect and enhance organization’s reputation
  5. Provide competitive advantage
  6. Consistency in the delivery of service or product
  7. Builds a culture of security

How is the ISO 27001 standard structured?

ISO 27001 is split into 11 sections, plus Annex A. Sections 0 to 3 are introductory (and are not mandatory for implementation), while sections 4 to 10 are mandatory – meaning that all their requirements must be implemented in an organization if it wants to be compliant with the standard. Controls from Annex A must be implemented only if declared as applicable in the Statement of Applicability.

How to implement ISO 27001?

Steps involved are:

  1. Get Sponsorship for the project
  2. Define the scope for ISO 27001
  3. Conduct ISO 27001 Awareness Training
  4. Establish top-level Information security policy
  5. Prepare the asset list
  6. Perform the risk assessment and risk treatment
  7. Write the Statement of Applicability
  8. Prepare Risk treatment plan
  9. Implement all applicable controls and procedures
  10. Conduct Internal Auditor Training
  11. Perform internal audit
  12. Perform management review
  13. Implement corrective actions
  14. Conduct Certification Audits

ISO 27001 Certification by Cunix Describes Best practice for an Information Security Management System

We are living in a digital age when data of any magnitude can easily be captured, processed and stored. While this is great, we have bad news for you: there are criminals who want your precious business data badly, and they will do anything to get hold of it. Without a resolute data security system, you are in danger of losing valuable information. To install a steadfast data protection system, call Cunix InfoTech today. We implement ISO 27001 certification on behalf of our customers to boost their data security and increase the level of confidence received from various business associates.

Current and potential customers want the assurance that their private data will be kept safe. Likewise, stakeholders, suppliers, investors and other business associates feel confident about you when they know their data is not exposed to threats. Hence, our advice today is that you have us implement ISO 27001 on your behalf. We do it for our customers in various places: Pune, Mumbai, Qatar, Bangalore, Dubai and Kuwait. If you are based in any of these places, be sure to contact us. We can assure you that the process will be thorough, quick and legal.

Advantages to expect from ISO 27000

Implementing this certification system will be so beneficial that you will never regret it. This is even truer if you use a real expert like us. One thing you can be sure of is that ISO certification will make your business sound more credible, trustworthy and reliable to customers, and they will want to transact with you more often. Second, your business will comply with the current legislation in the nation and gain an edge over its rivals during contract negotiations. You have heard of cases where organizations were sued because of mishandling private information; with this certification, your organization will not become such a victim. As ISO certification is accepted worldwide, it will make your business ready for international markets.

We implement all steps with you involved

Having an Information Security Management System installed by the best ISO expert in Pune is highly recommended. This is a professional who recognizes that the client needs to know what’s going on. The first step is usually the project initiation phase: we will send one of our experienced ISMS implementers over to your premises for explanations and discussions.

It is also during this phase that the team that will oversee the whole implementation process is formed. To make sure that the selected team understands what’s going on, our consultant will introduce the ISO 27001 manual to it. A lot of action happens during step two, the system development phase: our consultants will visit your site to assess the gaps in your current IT risk management system, and the Statement of Applicability will then be prepared using the gap assessment data. Risk assessment and the risk treatment plan will be done in this phase, in addition to other delicate tasks. During step three, our implementers will review the treatment plan and the ISMS. In the final stage, they will conduct the internal audit, resolve non-compliant items and support the certification audit.

Hence, feel free to depend on CUNIX consulting services today. If you feel confused and do not know where to begin, just give us a call.